Achieving FedRAMP Compliance


Trend Micro™ Deep Security™ capabilities make it easier to meet many key security
requirements for federal information systems moving to cloud environments


Building a Fed-Ready Cloud Offering

If you're responsible for cyber security at a federal agency, or if you are
a service provider planning an offering to support such agencies in their
transition to cloud storage and processing, you know that there is a long
checklist of requirements to meet.

The Federal Risk and Authorization Management Program (FedRAMP)
requires all federal organizations that use, or plan to transition to, a cloud
environment to implement the FedRAMP program for cloud security
controls based on NIST Special Publication 800-53, rev 4, which details
all security controls required for federal information systems under the
Federal Information Security Management Act (FISMA).

Many cloud service providers already support a large number of these
controls: those dealing with physical access to data storage facilities,
network security, and the security of servers. Trend Micro Deep Security
offers advanced capabilities to help organizations satisfy the remaining
controls relevant to data and application security.





Advanced Security for the Cloud

Trend Micro Deep Security provides, in both virtualized and physical
environments, the combined functionality of a Common Criteria EAL2
validated Firewall, Anti-Virus, Deep Packet Inspection, Integrity Monitoring,
Log Inspection, and support for multi-tenant virtual environments.

Deep Security host-based capabilities include:

• Real-time vulnerability scanning and protection
• Intrusion prevention and malware protection
• Continuous monitoring, logging, and reporting
• Automated firewall and access-control rules
• Centralized management with multi-tenant support
• Advanced malware and incident handling

Supported Platforms

Trend Micro supports your FedRAMP-compliant offering on all the most
popular cloud service providers, including:

• Amazon Web Services (AWS)
• Azure
• VMware Hybrid

Whichever service you choose to host your offering, Trend Micro is
your security compliance partner.





Multiple Modules Work Together 


Deep Security consists of multiple modules that each carry out specific security functions. Together, they help you 
meet the requirements of many FedRAMP controls. The primary Deep Security modules include: 


Deep Security Manager is a centralized Web-based management console to configure security policy and deploy 
protection to the enforcement components: the Deep Security Virtual Appliance and the Deep Security Agent. 


Firewall Module centralizes management of server firewall policy using a bidirectional stateful firewall. It supports 
virtual machine zoning and prevents denial of service attacks. Provides broad coverage for all IP-based protocols 
and frame types as well as fine-grained filtering for ports and IP and MAC addresses. 


Anti-malware Module provides both real-time and on-demand protection against file-based threats, including 
threats commonly referred to as malware, viruses, Trojans, and spyware. To identify threats, Anti-Malware checks 
files against a comprehensive threat database, portions of which are hosted on servers or kept locally as updatable 
patterns. Anti-Malware also checks files for certain characteristics, such as compression and known exploit code. To 
address threats, Anti-Malware selectively performs actions that contain and remove the threats while minimizing 
system impact. Anti-Malware can clean, delete, or quarantine malicious files. It can also terminate processes and 
delete other system objects that are associated with identified threats. 


Recommendation Scans identify known vulnerabilities in the operating system and in installed
applications. Recommendation Scans automate scanning of systems and patch levels against the latest
Critical Vulnerability and Exposure (CVE) database, to automatically apply Deep Security signatures, engines,
patterns, and rules/filters to detect/prevent exploitation of these vulnerabilities and to produce audit logs and
reports which can be used to support a continuous monitoring program or audits.


Integrity Monitoring Module detects and reports malicious and unexpected changes to files and the system registry in
real time, and is available in an agentless form factor. It provides administrators with the ability to track both authorized
and unauthorized changes made to the instance. The ability to detect unauthorized changes is a critical component in
a cloud security strategy, as it provides visibility into changes that could indicate the compromise of an instance.


Log Inspection Module provides visibility into important security events buried in log files. Optimizes the 
identification of important security events buried in multiple log entries across the data center. Forwards suspicious 
events to a SIEM system or centralized logging server for correlation, reporting and archiving. Leverages and 
enhances open-source software available at OSSEC. 


Intrusion Prevention Module is both an Intrusion Detection System (IDS) and an Intrusion Prevention System
(IPS) which protects computers from being exploited by attacks against known and zero-day vulnerabilities,
as well as against SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities.
It shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and
increases visibility into, or control over, applications accessing the network. Intrusion Prevention prevents attacks
by detecting malicious instructions in network traffic and dropping the relevant packets.


Web Reputation Module protects against web threats by blocking access to malicious URLs. Deep Security uses
Trend Micro's Web security databases from Smart Protection Network sources to check the reputation of
Web sites that users are attempting to access. The Web site's reputation is correlated with the specific
Web reputation policy enforced on the computer. Depending on the Web Reputation Security
Level being enforced, Deep Security will either block or allow access to the URL.
FedRAMP Controls


The table below summarizes the key FedRAMP security controls that Deep Security supports. Each control is mapped 
to the corresponding Deep Security capabilities. (For a more detailed listing that includes each sub-control in full, 
please see our Deep Security FedRAMP Controls Mapping Document.) 


To learn more about how Trend Micro solutions protect cloud-hosted data and applications,
please visit www.trendmicro.com/us/business/cloud-data





Supported Control 


Access Control / Least Privilege


AC-6 (4) Separate Processing Domains 


The information system provides separate processing domains to 
enable finer-grained allocation of user privileges. 


Audit and Accountability 


AU-2 Auditable Events 
The organization: 


A. Determines that the information system is capable of auditing 
the following events: [Assignment: organization-defined 
auditable events]; 

B. Coordinates the security audit function with other 
organizational entities requiring audit-related information to 
enhance mutual support and to help guide the selection of 
auditable events; 

C. Provides a rationale for why the auditable events are deemed to
be adequate to support after-the-fact investigations of security
incidents; and

D. Determines that the following events are to be audited within 
the information system: [Assignment: organization-defined 
audited events (the subset of the auditable events defined in 
AU-2 a.) along with the frequency of (or situation requiring) 
auditing for each identified event]. 


AU-3 Content of Audit Records 


The information system generates audit records containing 
information that establishes what type of event occurred, when 
the event occurred, where the event occurred, the source of the 
event, the outcome of the event, and the identity of any individuals 
or subjects associated with the event. 


Supported sub-controls: 

AU-3 (1) Additional Audit Information 

AU-3 (2) Centralized Management of Planned Audit Record 
Content 

AU-6 Audit Review, Analysis, and Reporting 

The organization: 


a) Reviews and analyzes information system audit records 
[Assignment: organization-defined frequency] for indications 
of [Assignment: organization-defined inappropriate or unusual 
activity]; and 

b) Reports findings to [Assignment: organization-defined 
personnel or roles]. 


Supported sub-controls: 
AU-6 (1) Process Integration 
AU-6 (5) Scanning and Monitoring Capabilities 


Trend Micro Deep Security Capabilities 


Deep Security allows administrators to define fine-grained firewall 
rules/filters and user privileges on specific servers to create 
separate processing domains/zones. 


Deep Security lets you easily audit and log security-related events, 
and create custom reports that satisfy AU-2 requirements. 


Based on thorough inspection of host-based network traffic
for malicious activity, key files for changes, and system logs for
indicators of suspicious activity, Deep Security logs give you
a record of time stamps, source and destination addresses,
identifiers, event descriptions, success/fail indications, rules
involved, and more, easily accessible through a centralized
management system.


If you use a SIEM product, it's easy to integrate security event 
information from Deep Security logs. 


Deep Security gives you the flexibility to log and report every 
relevant aspect of all security events, including type, time, place, 
source, outcome, and users or other identified individuals involved. 
Centralized management lets you configure security events, rules, 
policies, and all other auditable data to be logged. You can easily 
customize reports for specific audit requirements. 


Deep Security Log Inspection performs deep analysis of logged 
events to give you clear visibility into security events buried in log 
files, even across multiple servers and log entries. 


Recommendation Scan automatically scans your system 
configurations and patch levels against the latest Critical 
Vulnerability and Exposure (CVE) database and applies rules and 
filters to shield vulnerabilities. Automated audit logs and reports 
support continuous monitoring. 


Deep Security lets you centrally review and correlate audit data 
with threat detection (scanning and monitoring) data, with a syslog 
server interface or direct SIEM system input. 
Supported Control


Security Assessment and Authorization 


CA-2 Security Assessments 

The organization includes as part of security control assessments,
[Assignment: organization-defined frequency], [Selection:
announced; unannounced], [Selection (one or more): in-depth
monitoring; vulnerability scanning; malicious user testing; insider
threat assessment; performance/load testing; [Assignment:
organization-defined other forms of security assessment]].


CA-7 Continuous Monitoring 

The organization develops a continuous monitoring strategy and
implements a continuous monitoring program that includes:

a) Establishment of [Assignment: organization-defined metrics] to 
be monitored; 

b) Establishment of [Assignment: organization-defined frequencies] 
for monitoring and [Assignment: organization-defined 
frequencies] for assessments supporting such monitoring; 

c) Ongoing security control assessments in accordance with the 
organizational continuous monitoring strategy; 

d) Ongoing security status monitoring of organization-defined 
metrics in accordance with the organizational continuous 
monitoring strategy; 

e) Correlation and analysis of security-related information 
generated by assessments and monitoring; 

f) Response actions to address results of the analysis of security- 
related information; and 

g) Reporting the security status of organization and the information 
system to [Assignment: organization-defined personnel or roles] 
[Assignment: organization-defined frequency]. 


Configuration Management 


CM-2 Baseline Configuration 

Supported sub-controls: 

CM-2 (2) Automation Support for Accuracy/Currency 

The organization employs automated mechanisms to maintain
an up-to-date, complete, accurate, and readily available baseline
configuration of the information system.


CM-2 (6) Development and Test Environments 

The organization maintains a baseline configuration for 
information system development and test environments that is 
managed separately from the operational baseline configuration. 


Trend Micro Deep Security Capabilities 


Deep Security Recommendation scan helps you meet both CA-2 
and CA-7. It lets you automate system scanning against the latest 
Critical Vulnerability and Exposure database, and automatically 
apply predefined rules or filters to prevent exploitation. Findings 
and activities are logged for audit and continuous monitoring. 


See above. 


With Deep Security Integrity Monitoring and Recommendation 
Scan capabilities, you can automatically scan critical files, folders, 
and registries for changes against baseline configurations, 

and automatically assign minimum recommended security 
configurations tailored for your specific hosts. 


Integrity Monitoring can assist in developing a systems baseline 
configuration and notifying you of any modifications to it. 
Supported Control


Configuration Management continued 


CM-6 Configuration Settings 
The organization: 


a) Establishes and documents configuration settings for
information technology products employed within the information
system using [Assignment: organization-defined security
configuration checklists] that reflect the most restrictive mode
consistent with operational requirements;

b) Implements the configuration settings;

c) Identifies, documents, and approves any deviations from
established configuration settings for [Assignment:
organization-defined information system components] based on [Assignment:
organization-defined operational requirements]; and

d) Monitors and controls changes to the configuration settings in
accordance with organizational policies and procedures.


Supported sub-controls: 
CM-6 (1) Verification 


Contingency Planning 


Supported sub-control: 
CP-2 (6) Contingency Plan / Alternate Processing / Storage Site 


The organization plans for the transfer of essential missions and 
business functions to alternate processing and/or storage sites 
with little or no loss of operational continuity and sustains that 
continuity through information system restoration to primary 
processing and/or storage sites. 


Incident Response 


IR-4 Incident Handling 
The organization: 


a) Implements an incident handling capability for security incidents 
that includes preparation, detection and analysis, containment, 
eradication, and recovery; 

b) Coordinates incident handling activities with contingency 
planning activities; and 

c) Incorporates lessons learned from ongoing incident handling 
activities into incident response procedures, training, and 
testing/exercises, and implements the resulting changes 
accordingly. 


Supported sub-controls: 

IR-4 (1) Automated Incident Handling Processes 
IR-4 (2) Dynamic Reconfiguration 

IR-4 (9) Dynamic Response Capability 


Trend Micro Deep Security Capabilities 


Deep Security Integrity Monitoring and Recommendation 
Scan ensure that you are alerted whenever a critical security 
configuration object is modified. This same monitoring is also 
applied to the hypervisor layer in virtual environments. 


In addition, it lets you automatically apply pre-defined security 
configurations to new servers or virtual server instances as they 
come online. 


In virtual environments, Deep Security links policies, rules, and 
filters to specific virtual machines, and maintains them when the 
virtual machine is moved to a different site or host. In addition, it 
automatically assigns recommended security configurations to 
new virtual machines as they are created. 


The primary function of Deep Security is to detect threats, mitigate 
threats, and disseminate threat information in support of incident 
response and forensic analysis. 


Deep Security automatically provides an alert in response
to security incidents, and can be configured to send email
notifications triggered by specific alerts to appropriate members
of your staff.


It continuously scans for unpatched vulnerabilities in your systems, 
and automatically shields these vulnerabilities until a patch can be 
installed. Infected virtual machines can be tagged and quarantined 
automatically as part of a dynamic response. 
Supported Control


Incident Response continued 


IR-5 Incident Monitoring 


The organization tracks and documents information system 
security incidents. 


Supported sub-controls: 
IR-5 (1) Analysis 


IR-6 Incident Response/Reporting 

Supported sub-controls: 

IR-6 (1) Incident Reporting / Automated Reporting 

The organization employs automated mechanisms to assist in the 
reporting of security incidents. 

IR-6 (2) Incident Reporting / Vulnerabilities Related to Incidents 
The organization reports information system vulnerabilities 
associated with reported security incidents to [Assignment: 
organization-defined personnel or roles]. 


Risk Assessment 


RA-5 Risk Assessment / Vulnerability Scanning 

Supported sub-controls: 

RA-5 (1) Update Tool Capability 

The organization employs vulnerability scanning tools that
include the capability to readily update the information system
vulnerabilities to be scanned.


RA-5 (2) Update by Frequency / Prior to New Scan / When 
Identified 


The organization updates the information system vulnerabilities
scanned [Selection (one or more): [Assignment:
organization-defined frequency]; prior to a new scan; when new vulnerabilities
are identified and reported].

RA-5 (3) Breadth / Depth of Coverage 


The organization employs vulnerability scanning procedures that 
can identify the breadth and depth of coverage (i.e., information 
system components scanned and vulnerabilities checked). 

RA-5 (4) Discoverable Information 

The organization determines what information about the
information system is discoverable by adversaries and
subsequently takes [Assignment: organization-defined corrective
actions].

RA-5 (6) Automated Trend Analyses 

The organization employs automated mechanisms to compare
the results of vulnerability scans over time to determine trends in
information system vulnerabilities.

RA-5 (8) Review Historic Audit Logs 

The organization reviews historic audit logs to determine if
a vulnerability identified in the information system has been
previously exploited.

RA-5 (10) Risk Assessment / Vulnerability Scanning / Correlate 
Scanning Information 

The organization correlates the output from vulnerability scanning
tools to determine the presence of multi-vulnerability/multi-hop
attack vectors.
Trend Micro Deep Security Capabilities


With the Deep Security Manager and Trend Micro Control 
Manager, you can manage and automate the creation and 
distribution of incident data and reports. 


The Trend Micro Smart Protection Network threat intelligence 
system uses a global network of threat intelligence sensors to 
continually update email, web, and file reputation databases in the 
cloud, to find and block threats before they reach your systems. 


Deep Security supports this control by letting you 
automatically produce and distribute alerts and reports as 
required by your policies and compliance requirements. 


Specific types of reports, including vulnerability information,
can be automatically sent to a responsible party within
your organization. This information also is used to update
vulnerability shielding rules, which can be pushed out to
thousands of servers and endpoints, often protecting you
within hours of the vulnerability's discovery.


Deep Security Recommendation Scan scans your system 
against the latest Critical Vulnerability and Exposure (CVE) 
database for vulnerabilities and patch levels, to ensure that all 
unpatched vulnerabilities are identified, reported, and shielded 
automatically, using the latest policies. 


The scan engine is updated with information about new 
vulnerabilities as soon as it is available, often within hours of 
their discovery. 


Logs and audit records show that Deep Security scans 
individual servers and correlates data to provide the depth and 
breadth of coverage. 


Deep Security's firewall module detects intruders 
reconnoitering your systems, and alerts specified 
administrators. 


Deep Security tracks and reports statistical and trend 
information at various levels, to support your efforts to 
optimize effectiveness. 


Updated rules, patterns, and signature files are added to 
Deep Security with each new vulnerability uncovered. Audit 
and log information are always available to support historical 
correlation. 


Deep Security provides a single-pane-of-glass view on multiple 
suspicious activities, through network packet inspection, log 
inspection, object integrity monitoring and audit records that 
could lead to a successful attack on the information system if 
allowed to develop. 





Supported Control 


System and Communications Protection 


SC-7 Boundary Protection 
The information system: 


a) Monitors and controls communications at the external boundary 
of the system and at key internal boundaries within the system; 


b) Implements subnetworks for publicly accessible system 
components that are [Selection: physically; logically] separated 
from internal organizational networks; and 


c) Connects to external networks or information systems only 
through managed interfaces consisting of boundary protection 
devices arranged in accordance with an organizational security 
architecture. 


Supported sub-controls: 

SC-7 (5) Deny by Default / Allow by Exception 

SC-7 (9) Restrict Threatening Outgoing Communications Traffic 
SC-7 (11) Restrict Incoming Communications Traffic 

SC-7 (12) Host-Based Protection 

SC-7 (16) Prevent Discovery of Components / Devices 

SC-7 (17) Automated Enforcement of Protocol Formats 


SC-7 (19) Blocks Communication From Non-Organizationally 
Configured Hosts 


SC-7 (20) Dynamic Isolation / Segregation 


SC-32 Information System Partitioning 


The organization partitions the information system into 
[Assignment: organization-defined information system 
components] residing in separate physical domains or 
environments based on [Assignment: organization-defined 
circumstances for physical separation of components]. 


SC-36 Distributed Processing and Storage 


The organization distributes [Assignment: organization-defined 
processing and storage] across multiple physical locations. 


System and Information Integrity 


SI-2 Flaw Remediation 
The organization: 
a) Identifies, reports, and corrects information system flaws; 


b) Tests software and firmware updates related to flaw 
remediation for effectiveness and potential side effects before 
installation; 

c) Installs security-relevant software and firmware updates within 
[Assignment: organization-defined time period] of the release of 
the updates; and 


d) Incorporates flaw remediation into the organizational
configuration management process.


Trend Micro Deep Security Capabilities 


Deep Security provides host-based boundary protection against a 
wide variety of threat modalities. 


Deep Security provides agentless and agent-based protection for
physical, virtual, and cloud-based computers. Protection includes:

• Anti-Malware
• Web Reputation
• Firewall
• Intrusion Detection and Prevention
• Integrity Monitoring
• Log Inspection

The Deep Security firewall solution provides subnetwork controls
that architecturally separate your public front-end systems from
your internal networks.


Deep Security's stateful firewall uses whitelisting to deny all traffic
you have not specifically allowed. You may specify rules for each
host and virtual machine. Application control rules are applied
to all outbound traffic, providing the ability to detect unusual or
unexpected protocols and port usage.


The Deep Security firewall functionality gives you the ability to 
create Trust Zones in a physical or virtualized environment. Deep 
Packet Inspection provides flow control between the various 
machines, either physical or virtualized, in the different Trust 
Zones. 


Deep Security supports this control by making it easy to 
synchronize processing and storage security across multiple sites. 
Within the virtualized environment, Deep Security ensures that 
machines located in any location all have correct security policies 
and configurations. 


Deep Security Recommendation Scan supports this requirement 
by letting you automate scanning of systems and patch levels 
against the latest Critical Vulnerability and Exposure (CVE) 
database, to automatically apply Deep Security rules/filters to 
detect/prevent exploitation of these vulnerabilities, and to produce 
audit logs and reports which can be used to support a continuous 
monitoring program or audits. 
Supported Control


System and Information Integrity continued 


SI-3 Malicious Code Protection 

The organization: 

a) Employs malicious code protection mechanisms at information
system entry and exit points to detect and eradicate malicious
code;

b) Updates malicious code protection mechanisms whenever
new releases are available in accordance with organizational
configuration management policy and procedures;

c) Configures malicious code protection mechanisms to:

1. Perform periodic scans of the information system
[Assignment: organization-defined frequency] and real-time
scans of files from external sources at [Selection (one
or more): endpoint; network entry/exit points] as the files
are downloaded, opened, or executed in accordance with
organizational security policy; and

2. [Selection (one or more): block malicious code; quarantine
malicious code; send alert to administrator; [Assignment:
organization-defined action]] in response to malicious code
detection; and

d) Addresses the receipt of false positives during malicious code
detection and eradication and the resulting potential impact on
the availability of the information system.


Supported sub-controls: 

SI-3 (1) Central Management 

SI-3 (2) Automatic Updates 

SI-3 (4) Updates Only by Privileged Users 
SI-3 (7) Nonsignature-Based Detection 
SI-3 (8) Detect Unauthorized Commands 
SI-3 (10) Malicious Code Analysis 
Trend Micro Deep Security Capabilities


Deep Security Anti-Malware can be configured to provide:

• The applicable real-time policies that apply during different
periods of the day/week
• The policy for full scheduled or manual scans
• Exclusions of file types and directories
• Real-time behavior (scanning reads and/or writes) and
applicable actions

Upon detection of a file-based virus, Deep Security performs
the actions you have specified on a virtual or physical machine,
including:

• Clean the virus from the file
• Quarantine the file
• Delete the file

The Deep Security Intrusion Prevention Module is a host-based
IDS/IPS that protects host computers from being exploited by
attacks against known and zero-day vulnerabilities, as well as
against SQL injection attacks, cross-site scripting attacks, and
other web application vulnerabilities.

It shields vulnerabilities until code fixes can be completed. It
identifies malicious software accessing the network and increases
visibility into, or control over, applications accessing the network.





Supported Control 


System and Information Integrity continued 


SI-4 Information System Monitoring
The organization:
a) Monitors the information system to detect:

1. Attacks and indicators of potential attacks in accordance with
[Assignment: organization-defined monitoring objectives]; and

2. Unauthorized local, network, and remote connections;

b) Identifies unauthorized use of the information system through
[Assignment: organization-defined techniques and methods];

c) Deploys monitoring devices: (i) strategically within the
information system to collect organization-determined essential
information; and (ii) at ad hoc locations within the system to track
specific types of transactions of interest to the organization;

d) Protects information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion;

e) Heightens the level of information system monitoring
activity whenever there is an indication of increased risk
to organizational operations and assets, individuals, other
organizations, or the Nation based on law enforcement information,
intelligence information, or other credible sources of information;

f) Obtains legal opinion with regard to information system
monitoring activities in accordance with applicable federal laws,
Executive Orders, directives, policies, or regulations; and

g) Provides [Assignment: organization-defined information
system monitoring information] to [Assignment:
organization-defined personnel or roles] [Selection (one or more): as needed;
[Assignment: organization-defined frequency]].

Supported sub-controls:

SI-4 (2) Automated Tools for Real-Time Analysis
SI-4 (3) Automated Tool Integration
SI-4 (4) Inbound and Outbound Communications Traffic
SI-4 (5) System-Generated Alerts
SI-4 (7) Automated Response to Suspicious Events
SI-4 (9) Testing of Monitoring Tools
SI-4 (11) Analyze Communications Traffic Anomalies
SI-4 (12) Automated Alerts
SI-4 (13) Analyze Traffic / Event Patterns
SI-4 (15) Wireless to Wireline Communications
SI-4 (23) Host-Based Devices
SI-4 (24) Indicators of Compromise


Trend Micro Deep Security Capabilities 


Deep Security satisfies this requirement through the combined 
functionality of Deep Packet Inspection, Firewall, Anti-Virus, 
Integrity Monitoring, and Log Inspection. The ability to respond 
quickly to new or emerging threats and provide corrections to 
vulnerabilities is supported by the Trend Micro™ Smart Protection 
Network global threat information system. 

Deep Packet Inspection (DPI) provides an IDS/IPS capability, 
which protects your operating systems, commercial off-the-shelf 
applications, and custom web applications against attacks such 
as SQL injection and cross-site scripting. Security updates that 
provide protection against newly discovered vulnerabilities are 
automatically delivered to host machines. Detailed event records 
are produced, which provide valuable information, including the 
source of the attack, the time, and what your potential attacker 
was attempting to exploit. The Deep Packet Inspection module 

is available in both the Deep Security Agent and Deep Security 
Virtual Appliance for VMware ESX/ESXi. 

The firewall module is enterprise-grade, bi-directional, and stateful. 
It is used to limit communication by source and destination port, 
and by IP and MAC addresses, and is protocol-aware. By limiting 
traffic, the attack surface of your system is reduced, as is the risk 
of unauthorized access. 

Reconnaissance detection is supported by the ability to detect 
reconnaissance activities such as port scans. 

When it detects a file-based virus, Deep Security performs the
actions you specify in advance:

• Clean the virus from the file
• Quarantine the file
• Delete the file

The Anti-Virus module performs real-time, scheduled, and on- 
demand scans for file-based viruses based upon known signatures, 
and carries out scheduled scans at the time and frequency 
configured by the authorized administrator, in the physical or in the 
virtualized environment at the hypervisor level. 

Integrity Monitoring monitors critical system objects such as files,
folders, registry entries, processes, services, and listening ports.
An integrity monitoring object baseline consists of a
combination of the following object attributes: Created, Last
Modified, Last Accessed, Permissions, Owner, Group, Size, Hash
(SHA1, SHA256, MD5), Flags, SymLinkPath, Inode Number, Device
Number, Blocks Allocated.
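As an added example that is not Trend Micro's code, the following Python script builds a file-integrity baseline from the same kinds of object attributes listed above (timestamps, permissions, owner, group, size, SHA1/SHA256/MD5 hashes, symlink target, inode, device and block count), stores it as a JSON snapshot, and reports which attributes of which objects changed on a later scan; the function names and snapshot format are this example's own assumptions. Last Accessed is excluded from comparison by default, since ordinary reads would otherwise raise spurious integrity events.

```python
"""Minimal file-integrity baseline and change detector (illustrative only).

Records per-object attributes of the kind an integrity monitoring baseline
holds, saves them as a JSON snapshot, and diffs a fresh scan against that
snapshot. Not Deep Security code; names here are this example's own.
"""
import hashlib
import json
import os
import stat
import sys
from typing import Dict, List, Tuple

# Attributes that legitimately change on every read are kept in the snapshot
# for forensics but ignored during comparison to avoid false positives.
VOLATILE_ATTRIBUTES = {"last_accessed"}

Entry = Dict[str, object]
Baseline = Dict[str, Entry]
Event = Tuple[str, str, object, object]  # (path, attribute, old, new)


def _hashes(path: str) -> Dict[str, str]:
    """Compute SHA1, SHA256 and MD5 of a regular file in a single pass."""
    digests = {"sha1": hashlib.sha1(), "sha256": hashlib.sha256(), "md5": hashlib.md5()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def baseline_entry(path: str) -> Entry:
    """Snapshot one filesystem object without following symlinks."""
    st = os.lstat(path)
    entry: Entry = {
        "created": st.st_ctime,            # inode change time on POSIX systems
        "last_modified": st.st_mtime,
        "last_accessed": st.st_atime,
        "permissions": stat.filemode(st.st_mode),
        "owner": st.st_uid,
        "group": st.st_gid,
        "size": st.st_size,
        "flags": getattr(st, "st_flags", 0),       # BSD/macOS only, 0 elsewhere
        "inode": st.st_ino,
        "device": st.st_dev,
        "blocks": getattr(st, "st_blocks", None),  # not available on Windows
        "symlink_path": os.readlink(path) if stat.S_ISLNK(st.st_mode) else None,
    }
    if stat.S_ISREG(st.st_mode):
        entry.update(_hashes(path))
    return entry


def build_baseline(root: str) -> Baseline:
    """Walk `root` and snapshot every file, directory and symlink beneath it."""
    baseline: Baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = baseline_entry(full)
    return baseline


def compare_baselines(old: Baseline, new: Baseline, ignore=VOLATILE_ATTRIBUTES) -> List[Event]:
    """Return one event per changed attribute. Objects that appeared or vanished
    are reported under the pseudo-attribute 'present' so deletions surface too."""
    events: List[Event] = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append((rel, "present", False, True))
        elif rel not in new:
            events.append((rel, "present", True, False))
        else:
            for attr in sorted(set(old[rel]) | set(new[rel])):
                if attr not in ignore and old[rel].get(attr) != new[rel].get(attr):
                    events.append((rel, attr, old[rel].get(attr), new[rel].get(attr)))
    return events


def save_baseline(baseline: Baseline, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: fim.py baseline DIR SNAPSHOT.json   |   fim.py check DIR SNAPSHOT.json
    mode, root, snapshot = sys.argv[1:4]
    if mode == "baseline":
        save_baseline(build_baseline(root), snapshot)
    else:
        for rel, attr, before, after in compare_baselines(load_baseline(snapshot), build_baseline(root)):
            print(f"{rel}: {attr} changed from {before!r} to {after!r}")
```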
Supported Control


System and Information Integrity continued 


SI-5 Security Alerts, Advisories and Directives 

The organization: 

a) Receives information system security alerts, advisories, and 
directives from [Assignment: organization-defined external 
organizations] on an ongoing basis; 

b) Generates internal security alerts, advisories, and directives as 
deemed necessary; 

c) Disseminates security alerts, advisories, and directives to: 
[Selection (one or more): [Assignment: organization-defined 
personnel or roles]; [Assignment: organization-defined elements 
within the organization]; [Assignment: organization-defined 
external organizations]]; and 

d) Implements security directives in accordance with established 
time frames, or notifies the issuing organization of the degree 
of noncompliance. 


SI-7 Software, Firmware and Information Integrity 


The organization employs integrity verification tools to detect 
unauthorized changes to [Assignment: organization-defined 
software, firmware, and information]. 


Supported sub-controls: 
SI-7 (1) Integrity Checks 
SI-7 (13) Code Execution In Protected Environments 


Trend Micro Deep Security Capabilities 


Deep Security can assist in supporting this control by providing
you with configurable security alerts. You can also export security
alert data to syslog servers and SIEMs, and configure the
frequency of alerts.


Deep Security Integrity Monitoring monitors critical system 
objects such as files, folders, registry entries, processes, services, 
and listening ports and will detect any changes to critical system 
objects by comparing with existing baselines, established as 
snapshots when the integrity rules are created. 


Based on rules you select, Deep Security alerts you when an 
integrity breach is detected. 


To learn more about how Trend Micro Deep Security can help you to create cloud-hosted offerings that comply with 
federal procurement regulations, please call 1-888-762-8736 